
Making Linux more secure (Part 3)



Learn the techniques that make your Linux™ system more resistant to attack: protecting the boot process and the local file system, enforcing quotas and limits on services and daemons and locking them down, enabling Mandatory Access Control, and identifying the security flaws that can be introduced when new software updates are applied to security facilities. Part 1 of this series introduced security concepts and potential threats. Part 2 listed the things to keep in mind when planning a secure installation.

In this series of articles, you will see how to plan, design, install, configure, and maintain a running Linux system in a secure way. Beyond a theoretical overview of security concepts, installation issues, potential risks, and their effects, you will get practical advice on how to protect and harden a Linux-based system. We discuss minimal installation, hardening Linux, authorization and authentication, local and network security, attacks and how to defend against them, and data security, viruses, and malicious programs.

Part 1 of this series got you started with a general understanding of security concepts and potential risks. Part 2 took you to the next level, listing the issues that need attention when planning a secure installation, including drawing up a detailed security policy.

In this part, we discuss the steps for hardening Linux.

About hardening

To make the hardening effort more successful, you should:


Harden the system before it is connected to the network, so that it cannot be attacked in the meantime.
Configure according to the principle of least privilege (least-privilege model): the system should grant only the privileges that a specific function needs. Likewise, users should have only the minimal privileges they need.

After completing the initial planning and preparation and performing the minimal installation (see Part 2), you need to make a few configuration changes. These steps are usually called hardening Linux:


Protecting the boot process
Protecting services and daemons
Protecting the local file system
Enforcing quotas and limits
Enabling mandatory access control
Updating and applying security patches

Protecting the boot process

Configure the boot loader (LILO or GRUB) so that no user can interfere with it at boot time; this prevents a user from passing parameters to the kernel at the boot prompt. Unless you need to boot remotely (for example, in a remote data center), configure it to ask for a password. This is a further safeguard against people who have physical access to the machine; it prevents certain casual attacks, such as using the parameter single or init=/bin/sh to obtain a root shell. Note, however, that this safeguard can be circumvented with a little effort (for example, by removing the hard disk and mounting it on another system) unless you also encrypt the file system.

For LILO, use the parameter password instead of prompt in the configuration file lilo.conf (usually under /etc). For GRUB, the corresponding parameters in the GRUB configuration file (usually /boot/grub/grub.conf) are hiddenmenu, default 0, and password.

Add sp:S:respawn:/sbin/sulogin to /etc/inittab to ensure that the run level configuration asks for the root password when the system switches to single-user mode.

Prevent users from rebooting the system with Ctrl-Alt-Del: comment out the ctrlaltdel line in /etc/inittab to disable ctrlaltdel. By adding a hash sign (#) to a line such as this one (#ca::ctrlaltdel:/sbin/shutdown -t5 -rf now), you prevent that key combination from triggering a reboot.
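As an added example (not part of the original article), the following POSIX shell script checks the three boot-process settings just described against the boot loader configuration and /etc/inittab. The function name check_boot_hardening, the sample file contents, and the placeholder GRUB password are constructed for this illustration; point the function at /boot/grub/grub.conf and /etc/inittab to audit a real system.

```shell
#!/bin/sh
# Added example, not from the original article: audit the boot-process settings
# recommended above. check_boot_hardening and the sample files are constructed.

# check_boot_hardening GRUBCONF INITTAB
# Prints one line per check and returns 0 only if all three checks pass:
#  1. the GRUB configuration contains a password line
#  2. single-user mode is protected by /sbin/sulogin in inittab
#  3. no active (uncommented) ctrlaltdel entry remains in inittab
check_boot_hardening() {
    grubconf=$1; inittab=$2; rc=0
    if grep -q '^[[:space:]]*password' "$grubconf"; then
        echo "ok: boot loader password set in $grubconf"
    else
        echo "FAIL: no password line in $grubconf"; rc=1
    fi
    if grep -q '^[^#]*:respawn:/sbin/sulogin' "$inittab"; then
        echo "ok: single-user mode asks for the root password"
    else
        echo "FAIL: no sulogin entry for run level S in $inittab"; rc=1
    fi
    if grep -q '^[^#]*:ctrlaltdel:' "$inittab"; then
        echo "FAIL: Ctrl-Alt-Del still triggers a reboot in $inittab"; rc=1
    else
        echo "ok: ctrlaltdel entry commented out or absent"
    fi
    return $rc
}

# Demonstration on constructed sample files (a real audit would be run as
# check_boot_hardening /boot/grub/grub.conf /etc/inittab).
demo=$(mktemp -d)
printf 'default 0\ntimeout 5\nhiddenmenu\npassword CHANGE_ME_PLACEHOLDER\n' > "$demo/grub.conf"
printf 'id:3:initdefault:\nsp:S:respawn:/sbin/sulogin\n#ca::ctrlaltdel:/sbin/shutdown -t5 -rf now\n' > "$demo/inittab"
if check_boot_hardening "$demo/grub.conf" "$demo/inittab"; then
    echo "boot process: all checks passed"
else
    echo "boot process: hardening incomplete"
fi
rm -rf "$demo"
```

The sulogin check deliberately anchors on an uncommented line, so a commented-out sp:S:respawn entry counts as missing, just as a commented-out ctrlaltdel entry counts as disabled.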

Protecting services and daemons

The first step in configuring services securely is to disable all services that are not needed. A service that is not offered cannot be used by a potential intruder, which effectively reduces the risk.

To find all enabled services, a number of places need to be checked. In addition, insecure services should be disabled and replaced with safer alternatives. For example, Telnet is not encrypted, so replace Telnet with the encrypted SSH service (see Part 2).

When protecting services, consider these aspects:


/etc/inittab
Boot scripts in /etc/init.d
The inetd/xinetd daemon
TCP wrappers
Firewall

/etc/inittab

During the boot process, the init process reads the entries in the file /etc/inittab. Each entry defines which program is run under specific conditions. These programs are either services themselves or are used to start and stop a service.

The init process recognizes a number of states called run levels (identified by a single character). When a run level is entered or a specific event occurs (for example, a power failure), the entries are examined and the appropriate commands are executed.

The format of an entry in /etc/inittab is: first the label of the entry, then the run levels in which this entry is to be executed, then an action keyword, and finally the command to run, including any parameters the command needs. All these fields are separated by colons. A typical entry looks like this:

my_service:35:once:/usr/local/bin/my_service someparameter

(A complete list of action keywords can be found in the inittab manual page.)

In this example, the label of the entry is my_service. When run level 3 or 5 is entered, the program /usr/local/bin/my_service is run with the parameter someparameter. Once the program stops, it is not restarted (action keyword once).

To protect a Linux system, you should understand the function of every entry in /etc/inittab and disable potentially unneeded services, either by deleting the entry or by commenting it out with a hash sign at the beginning of the line.

All Linux systems have the following two kinds of entries. The first kind runs a program named /sbin/getty (or similar); these are normally used to allow logins through the Linux virtual consoles or serial lines. The second kind usually runs the script named rc in the /etc/rc.d directory, passing the current run level as a parameter. This script controls the starting and stopping of services (described next).

Boot scripts in /etc/init.d

The boot scripts in /etc/init.d are used to start or stop system services. For each run level there is a directory /etc/rcN.d (where N is the run level) containing symbolic links to the scripts that need to be called when the run level changes.

If the link name begins with S, the script is executed when entering that run level and starts the corresponding service; if it begins with K, the script is executed when leaving that run level and stops the service.

In most cases, the name of a boot script indicates the service it controls. To prevent a particular service from starting in a given run level, delete the corresponding link to the boot script in the run level directory, or replace the original boot script in /etc/init.d with an empty script that does nothing.

The inetd/xinetd daemon

Services can also be started on demand when a client requests them. These requests are passed to the super-daemon inetd or xinetd. The super-daemon then determines which service should be started and passes the request to the corresponding daemon. Typically, services such as Telnet, FTP, and rlogin are started through inetd or xinetd.

The inetd daemon is configured in /etc/inetd.conf, which contains an entry for each service the super-daemon has to provide. The entry configuring an FTP server looks like this: ftp stream tcp nowait root /usr/bin/ftpd in.ftpd -el. Commenting it out with a hash sign disables it.

For security reasons, it is recommended to use xinetd. Compared with inetd, xinetd can start RPC-based services and supports access control. xinetd can limit the rate of incoming connections, the number of incoming connections from a specific host, or the total number of connections to a particular service.

xinetd is configured through a separate configuration file for each daemon it controls. These files are located in the directory /etc/xinetd.d/. The example configuration file for the FTP server would be called /etc/xinetd.d/ftp and look like this:


Listing 1. Configuration file /etc/xinetd.d/ftp

service ftp
{
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    server = /usr/bin/ftpd
    server_args = -el
    disable = yes
}

To disable this service, the parameter disable is set to yes, as shown in the example above.

For finer-grained access control, xinetd supports the following three additional parameters:

only_from
no_access
access_times

To restrict access without disabling the FTP daemon completely, you could modify the configuration file /etc/xinetd.d/ftp as follows:


Listing 2. Configuration file /etc/xinetd.d/ftp modified to restrict access

service ftp
{
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    server = /usr/bin/ftpd
    server_args = -el
    disable = no
    only_from = 192.168.200.3 192.168.200.7 192.168.200.9
    only_from += 192.168.200.10 192.168.200.12 172.16.0.0
    no_access = 172.16.{1,2,3,10}
    access_times = 07:00-21:00
}

only_from and no_access accept numeric IP addresses (rightmost zeros are treated as wildcards), IP address/netmask ranges, host names, and network names from /etc/networks. If only_from and no_access are used together, xinetd looks for the closest match for each connecting host.

In the example above, hosts whose IP address is 172.16.x.x may connect, but addresses in 172.16.1.x, 172.16.2.x, 172.16.3.x, and 172.16.10.x may not. As you can see, when the factoring notation is used in no_access, not all four parts of the address need to be specified; the factored part must be the rightmost part of the address. See Resources for articles about xinetd and its configuration.

TCP wrappers

If you decide not to use xinetd but inetd instead, you can use TCP wrappers to log requests and to allow or deny specific hosts or networks. TCP wrappers check /etc/hosts.allow and /etc/hosts.deny for authentication and logging; they wrap the client's request rather than responding to it directly. Once authentication succeeds, the request is forwarded to the requested service.

Compared with plain inetd, TCP wrappers have two main benefits:

The requesting client is not aware of the TCP wrapper; as a result, honest users notice no difference, and malicious users get no information about why their request failed.
TCP wrappers work independently of the services they wrap, so applications can share their configuration files, which simplifies administration.

For detailed documentation on the TCP wrapper configuration files, see the Red Hat Linux Reference Guide listed in Resources.

How to find world-writable files

To find files that are world-writable, use this command:

find / -perm -002 \( -type f -o -type d \) -ls

Where:

/ is the starting point of the search.
-perm checks the permissions.
002 means (in octal notation) that the write bit for "other" is set.
The - before the mode 002 means that the bits set in the mode must all be set (zero bits in the pattern are ignored).
-type f or -type d searches regular files and directories.
-ls lists the files found in ls format.

Firewall

For services that must not be exposed, or that should not be reachable from specific networks such as the Internet, installing a firewall is recommended. A firewall provides controlled communication between networks of different trust levels and, following a role-based security policy and the principle of least privilege, allows or denies access to specific services.

Installing and configuring a firewall is a very complex topic and is outside the scope of this series.

Protecting the local file system

Protecting the local file system involves the ownership of files and directories and the permissions used to access them. To protect the file system, the protection of files and directories must be set to grant minimal privileges only.

Pay special attention to improper permissions on world-writable files and system directories, and to so-called setuid or setgid commands. When these commands run, they actually have higher privileges than the user who runs them. This may be necessary for files that only root can access (for example, /bin/passwd needs access to /etc/passwd). For these commands, make sure that each one really needs setuid/setgid. If not, disable it.

When none of the files on a partition really need setuid/setgid, the nosuid option in /etc/fstab disables it for every file on the corresponding file system (/dev/hdc1 in the example below):

#device   mountpoint   filesystemtype   options       dump   fsckorder
/dev/hda1 /            ext2             defaults      1      1
...
/dev/hdc1 /mnt/cdrom   iso9660          nosuid,user   1      2
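As an added example (not part of the original article), the following POSIX shell script combines the two checks this section calls for: it reports world-writable files and directories using the find predicates explained above, and lists setuid/setgid executables so that each can be reviewed for whether it really needs the bit. The function audit_perms and the sample directory tree are constructed for this illustration; the decision to skip sticky-bit directories such as /tmp is an addition beyond the text.

```shell
#!/bin/sh
# Added example, not from the original article: report world-writable files and
# directories and setuid/setgid executables under a given tree. audit_perms is
# a constructed helper built on the find(1) predicates explained above.

# audit_perms ROOT
# Prints "world-writable PATH", "setuid PATH" or "setgid PATH" per finding.
# Directories with the sticky bit (such as /tmp) are world-writable by design
# and are skipped; everything else with the "other" write bit is reported.
audit_perms() {
    root=$1
    find "$root" -perm -002 \( -type f -o \( -type d ! -perm -1000 \) \) -print 2>/dev/null \
        | sed 's/^/world-writable /'
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | while read -r path; do
            if [ -u "$path" ]; then echo "setuid $path"; fi
            if [ -g "$path" ]; then echo "setgid $path"; fi
        done
}

# Demonstration on a constructed directory tree (a real audit would start at /).
demo=$(mktemp -d)
mkdir "$demo/dropbox" "$demo/bin"
chmod 777 "$demo/dropbox"                                        # world-writable directory: reported
: > "$demo/bin/setuid-tool"; chmod 4755 "$demo/bin/setuid-tool"   # reported as setuid
: > "$demo/bin/plain";       chmod 755  "$demo/bin/plain"         # not reported
audit_perms "$demo"
rm -rf "$demo"
```

Run against a whole system the list is long; the point is to compare it with your installation documentation and to remove the setuid/setgid bit (or the nosuid-mounted partition's need for it) wherever a program does not require it.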

In addition, all sensitive data should be encrypted and protected with a passphrase. GnuPG provides a suitable software package for this.

Enforcing quotas and limits

Linux PAM (Pluggable Authentication Modules) can enforce a few useful limits, which are configured in the file /etc/security/limits.conf. Note that these limits apply to individual sessions. You can use maxlogins to limit the number of logins. Entries in limits.conf have the following structure: username|@groupname type resource limit.

To distinguish a group name from a user name, it must be prefixed with @. The type must be soft or hard. A soft limit can be exceeded and usually serves only as a warning, whereas a hard limit cannot be exceeded. resource can be one of the following keywords:

core - maximum size of core files (KB).
data - maximum data size (KB).
fsize - maximum file size (KB).
memlock - maximum locked-in-memory address space (KB).
nofile - maximum number of open files.
rss - maximum resident set size (KB).
stack - maximum stack size (KB).
cpu - maximum CPU time in minutes.
nproc - maximum number of processes.
as - address space limit.
maxlogins - maximum number of logins for this user.

In the example below, the first line limits all users to 10 MB of resident memory per session, and the second allows four simultaneous logins. The third disables core dumps for everybody. The fourth removes all limits for the user bin. ftp is allowed 10 concurrent sessions (useful mainly for an anonymous FTP account); members of the managers group are limited to 40 processes. developers has a 64 MB memlock limit, and members of wwwusers cannot create files larger than 50 MB.


Listing 3. Setting quotas and limits

* hard rss 10000
* hard maxlogins 4
* hard core 0
bin -
ftp hard maxlogins 10
@managers hard nproc 40
@developers hard memlock 64000
@wwwusers hard fsize 50000

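As an added example (not part of the original article), the following POSIX shell script validates a limits.conf file against the format and keyword list given above, so that a typo in a resource name or a non-numeric value is caught before it silently leaves a limit unenforced. The function check_limits_file is constructed for this illustration; beyond the article, it also accepts the values unlimited and -1, which pam_limits understands.

```shell
#!/bin/sh
# Added example, not from the original article: a validator for entries in the
# /etc/security/limits.conf format described above. check_limits_file is a
# constructed helper; besides plain numbers it accepts the values "unlimited"
# and "-1", which pam_limits understands (an assumption beyond the article).

LIMITS_ITEMS="core data fsize memlock nofile rss stack cpu nproc as maxlogins"

# check_limits_file FILE
# Prints "ok: ..." or "error: ..." for every entry; returns 1 if any entry
# is malformed (wrong field count, unknown type or item, non-numeric value).
check_limits_file() {
    status=0
    while read -r domain type item value extra; do
        case $domain in ''|\#*) continue ;; esac            # blank line or comment
        if [ "$type" = "-" ] && [ -z "$item" ]; then
            echo "ok: $domain has no limits"; continue       # e.g. "bin -"
        fi
        if [ -z "$value" ] || [ -n "$extra" ]; then
            echo "error: $domain: expected 'domain type item value'"; status=1; continue
        fi
        case $type in
            soft|hard) ;;
            *) echo "error: $domain: type '$type' must be soft or hard"; status=1; continue ;;
        esac
        case " $LIMITS_ITEMS " in
            *" $item "*) ;;
            *) echo "error: $domain: unknown item '$item'"; status=1; continue ;;
        esac
        case $value in
            unlimited|-1) ;;
            *[!0-9]*) echo "error: $domain: value '$value' is not numeric"; status=1; continue ;;
        esac
        echo "ok: $domain $type $item $value"
    done < "$1"
    return $status
}

# Demonstration on a constructed copy of Listing 3 (a real check would be run
# as check_limits_file /etc/security/limits.conf).
demo=$(mktemp)
cat > "$demo" <<'EOF'
* hard rss 10000
* hard maxlogins 4
* hard core 0
bin -
ftp hard maxlogins 10
@managers hard nproc 40
@developers hard memlock 64000
@wwwusers hard fsize 50000
EOF
if check_limits_file "$demo"; then echo "limits.conf: all entries valid"; fi
rm -f "$demo"
```

Reading the fields with read rather than splitting the line with set avoids glob expansion of the * domain, which would otherwise turn the wildcard into a list of file names.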
Quota best practices

Enable quotas on every partition that users are allowed to write to. Also consider that your system has a number of user IDs that belong to application processes rather than to individual users. Those IDs may have write permission on certain directories that ordinary users do not have.

Add /sbin/quotacheck -avug to your cron jobs to update the kernel's current quota usage files and tables automatically.

To activate these limits, you need to add the following line at the bottom of /etc/pam.d/login: session required /lib/security/pam_limits.so.

Quotas allow you to limit the number of inodes and the usable space for users and groups. Note that quotas are defined per mount point, so if users have write permission on several partitions, make sure you define quotas for each of them.

Quotas are one way for an administrator to minimize denial-of-service attacks that work by filling up all the available space on a hard disk (which temporarily prevents other processes from creating files and makes them fail). Depending on the distribution you use, you can install the quota tools that come with it, or download, compile, and install them yourself (see Resources).

Quotas must be enabled in the kernel. Most current distributions support quotas. If your distribution did not enable them, the Mini-HOWTO referenced in Resources explains how to enable them.

To enable quotas for a file system, you must add the corresponding option to its line in /etc/fstab. Use usrquota and grpquota to enable user quotas and group quotas, as shown in Listing 4:


Listing 4. Enabling user quotas and group quotas

/dev/hda1 /           ext3    defaults                    1 1
/dev/hda2 /home       ext3    defaults,usrquota           1 1
/dev/hda3 /tmp        ext3    defaults,usrquota,grpquota  1 1
/dev/hda4 /shared     ext3    defaults,grpquota           1 1
/dev/hdc1 /mnt/cdrom  iso9660 nosuid,user                 1 2

Next, use mount -a -o remount to remount the corresponding file systems, which activates the options just added; then use quotacheck -cugvm to create the binary quota files, which hold the quota configuration in a machine-readable format. These are the files the quota subsystem works with.

Quota assignments are made with the edquota tool. To define limits for the user alice, invoke it as edquota -u alice. The editor defined in the environment variable EDITOR (vi by default) opens with content similar to the following:

Quotas for user alice:
/dev/hda2: blocks in use: 3567, limits (soft = 5500, hard = 6500)
        inodes in use: 412, limits (soft = 1000, hard = 1500)

The "in use" values are informational only and cannot be changed; what you can modify are the soft and hard limits. After you save and exit the editor, edquota reads the temporary file you just edited and transfers the values into the binary quota files, so that your changes take effect. Editing group quotas works the same way, except that you use the -g option instead of -u.

Soft limits are warning levels and can be exceeded, whereas hard limits are strictly enforced. Soft limits have a grace period (sometimes called a soft time limit); this is the time interval during which a user is allowed to exceed the soft limit before the system enforces it.

You can set the grace period with edquota -t. The units that can be used are seconds, minutes, hours, days, weeks, and months. Other useful quota management tools include repquota (summarizes the quotas of a file system) and quotaon and quotaoff (turn quotas on and off).

Enabling mandatory access control

With mandatory access control (MAC) as implemented by SELinux, you can achieve further security. In the operating system, permissions are managed through the user/group ID a process belongs to and the user/group ID of the object (file) being accessed. With MAC, Linux can additionally enforce policies on every individual process, controlling what that process is allowed to do.

That way, in a properly configured system using MAC, a service that is compromised or attacked cannot take over the system. Even if the user or group ID the process runs under (worst case: root) would match the permissions of critical system files such as /etc/passwd, the policy still prohibits access to them.

A test system on the Internet demonstrates the effectiveness of SELinux: it allows anybody to log in, and the control mechanism prevents all malicious actions, even though the user can log in as root!

Adding the distributor's GnuPG key

The distributor's GnuPG key should already be part of the basic configuration. You can add the keys of third-party providers you trust with this command: $ rpm --import <keyfile>.

Make sure you obtain the key file in a secure way, for example by downloading it from the provider's Web site over HTTPS, so that you can verify the certificate of the connection.

However, using SELinux also has a few problems. First, if the distributor does not support MAC, it is quite difficult to configure. It may be necessary to patch and recompile the kernel and to replace specific system administration tools (all of which may affect the distributor's support policy). Second, defining an appropriate policy is a very complex task. If no usable policy definition is available for the applications you choose, implementing them in a MAC environment will be especially hard. This makes it harder for certain use cases, for example desktop workstations that need support for many different kinds of software packages.

Updating and applying security patches

To keep a system as secure as possible, you need to learn in time about new releases and patches for the software you use. This information can be obtained through a number of channels, but usually software vendors and Linux distributors should provide it to you promptly. You can also use the (almost always free) services of a CERT (Computer Emergency Response Team). They usually maintain mailing lists that communicate the latest advisories, vulnerabilities, and similar information.

When a new update becomes available, examine whether it applies to your system and your security needs. Installing an update can itself cause security problems. In addition, consider that every update may introduce new vulnerabilities, and that if an update fails, your system may be left in an unusable state.

When installing an update on a large number of systems, you usually cannot update all of them at the same time, which may leave many of your systems mutually incompatible during the update.

As you can see, updating a system can involve many risks. Here are a few suggestions for reducing those risks:


After the initial installation, do not connect your system to the network immediately. Download all relevant updates to a separate machine and transfer them manually, to ensure that the system is in a current state before it is exposed on the network.

Always have a usable, recent backup of the system.

For each business-critical system, you should have an independent test environment with the same hardware and software as the production environment. Gain experience with the update in the test environment first, to prevent surprises when it is applied to the production system.

Ideally, you should have prepared a regression test that compares the proper functioning of all programs on the system before and after the update. At a minimum, make sure there is a repeatable and documented quality-control check, so that you can confirm that the main functions and services in the environment are not affected before the production environment is modified.

For small networks, installing updates manually may be acceptable, but it quickly becomes hard to handle as the scale grows. This frequently leads to updates not being installed. Use commercial or open-source system management or software distribution software to simplify the deployment of updates.

Did we remind you that it is best to have a backup at hand? We are reminding you again.

When planning an installation of updates, consider: the order in which the systems are updated; which systems are critical to your business; which systems depend on one another; which systems contain confidential data.

When you use an integrity checking tool (strongly recommended, at least for servers), remember to update the baseline snapshot taken of the system in a known secure state after updating the system, so that unexpected changes can still be identified.


Before installing any release, use cryptographic tools to verify the integrity and authenticity of the software (especially when it was downloaded from a Web site or FTP server). In the Linux world, MD5 and/or SHA-1 checksums are commonly used. If the software is provided as an RPM package, the vendor should have supplied a GnuPG signature. You can check it by running $ rpm -v --checksig <name>.rpm. A successful response looks like "<name>.rpm: md5 gpg OK"; an unsuccessful one looks like "<name>.rpm: md5 GPG NOT OK".

You can use $ md5sum <name>.rpm or $ sha1sum <name>.rpm to confirm the MD5 or SHA-1 checksum. If your download includes a checksum file covering many files (in most cases called md5sum.asc or <name>.md5), you can use $ md5sum -c md5sum.asc.

Last, but not least, back up your system. (Did we already say that?)
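As an added example (not part of the original article), the following POSIX shell script shows the checksum verification described above end to end: it writes a SHA-1 checksum list for a set of files, verifies it with sha1sum -c the way the text describes for md5sum -c, and reports which file no longer matches after one of them has been altered. The functions write_checksums, verify_checksums, and failed_files and the package file names are constructed for this illustration; a checksum only detects accidental corruption or tampering with the file, it does not establish who published it, which is what the GnuPG signature check is for.

```shell
#!/bin/sh
# Added example, not from the original article: build a SHA-1 checksum list for
# a set of downloaded files, verify it with sha1sum -c as the text describes, and
# report which files fail. File names below are constructed placeholders.

# write_checksums DIR LIST FILE... -> writes sha1sum lines for the FILEs
# (relative to DIR) into DIR/LIST, the same format md5sum.asc files use
write_checksums() {
    dir=$1; list=$2; shift 2
    ( cd "$dir" && sha1sum "$@" > "$list" )
}

# verify_checksums DIR LIST -> returns 0 only if every file in LIST still matches
verify_checksums() {
    ( cd "$1" && sha1sum -c "$2" >/dev/null 2>&1 )
}

# failed_files DIR LIST -> prints the names of files that no longer match
# (sha1sum -c reports them as "name: FAILED", or "FAILED open or read" if missing)
failed_files() {
    ( cd "$1" && sha1sum -c "$2" 2>/dev/null ) | awk -F': ' '$2 ~ /^FAILED/ { print $1 }'
}

# Demonstration with constructed stand-ins for downloaded packages.
demo=$(mktemp -d)
printf 'release one\n' > "$demo/pkg-a.rpm"
printf 'release two\n' > "$demo/pkg-b.rpm"
write_checksums "$demo" sums.sha1 pkg-a.rpm pkg-b.rpm
printf 'tampered\n' >> "$demo/pkg-b.rpm"          # simulate a corrupted or altered download
if verify_checksums "$demo" sums.sha1; then
    echo "all files match the checksum list"
else
    echo "mismatch detected in: $(failed_files "$demo" sums.sha1)"
fi
rm -rf "$demo"
```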

Putting your hardening plan into practice

As discussed in Part 2 of this series, now apply the documented hardening plan to the system you have installed. Find out which processes are actually running on your system and disable those that are not needed. Check regularly for unusual behavior; unfamiliar processes may be providing unneeded services and may indicate that the system has been compromised.

This section shows you how to find and disable unnecessary (and potentially risky) processes, and how to prepare the system for regular audits.

Finding and disabling unnecessary processes

Ideally, you should understand every process running on your system. To get a list of all processes, run ps -ef (POSIX style) or ps ax (BSD style). Processes whose names are in square brackets are kernel threads that perform auxiliary functions (for example, maintaining the disk cache); all other processes are user processes. You will notice that even on your newly installed (minimal) system, many processes are running. Get familiar with them and record them in your documentation.

Network monitoring tools

These tools can help with network monitoring:

Nmap (Network Mapper) is a free, open-source tool for network exploration and security auditing. Use it to check your system after installation and configuration.
IPTraf is a console-based network statistics tool for Linux. It collects a variety of data, such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.
Multi Router Traffic Grapher (MRTG) is a tool for monitoring the traffic load on network links. MRTG generates HTML pages containing graphs that give a live visual representation of this traffic. See the examples on the MRTG index page.

Now let's look at the processes with open network connections; they have the greatest potential for being attacked. To get a list of all TCP and UDP connections, run netstat -atu (with name resolution, readable) or netstat -atun (without name resolution, faster). In this list, pay particular attention to TCP connections in the LISTEN state and to all UDP connections, because these are the sockets through which servers accept incoming connections.

If a server listens on 127.0.0.1/localhost, it can only be accessed by the system itself (via the loopback interface). Its exposure is therefore far lower than that of a server listening on an external interface or even on 0.0.0.0 (shown as * if name resolution is on), which can be reached from any network interface.

If you used netstat -atun, you need to translate the port numbers yourself. You can look them up in /etc/services. Use the additional parameter -p to show the corresponding process, as shown in Listing 5.

In this example, you can conclude that the portmapper and the graphical user interface (X) are not needed on this particular server. The portmapper provides standard endpoints for the various RPC-based NFS services, but the system does not offer NFS shares. The X Window System is useful when the system is used as a workstation, but its use on a server should be restricted.

Determine how these processes are started (through /etc/inittab, through boot scripts, and so on) and disable them as described earlier. If a program is started by another program, this task can be more challenging: the X server is most likely started by a display manager such as xdm, kdm, or gdm, which itself may not appear in inittab or in the boot script list.

The connections listed by netstat are not automatically usable by every computer on the network. The firewall functionality built into Linux can further control access before any packets reach the open sockets.
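As an added example (not part of the original article), the following POSIX shell script applies the reading of netstat -atun output described above to a sample: it picks out TCP sockets in LISTEN state and all UDP sockets, separates those bound to 127.0.0.1 from those reachable from the network, and translates port numbers through /etc/services. The sample netstat output, the functions socket_report, exposed_ports, and service_name are constructed for this illustration (the sample is not the article's Listing 5).

```shell
#!/bin/sh
# Added example, not from the original article: classify the listening sockets in
# netstat -atun output as reachable from the network or loopback-only. The
# sample output below is constructed (it is not the article's Listing 5).

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.200.5:22        192.168.200.3:41022     ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*'

# socket_report: reads netstat -atun output on stdin and prints one line per
# TCP socket in LISTEN state and per UDP socket:
#   "EXPOSED proto port" when bound to a non-loopback address (an interface
#   address or 0.0.0.0), "LOCAL proto port" when bound to 127.0.0.1.
# IPv4 only; tcp6/udp6 lines are ignored.
socket_report() {
    awk '($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            n = split($4, a, ":"); addr = a[1]; port = a[n]
            tag = (addr == "127.0.0.1") ? "LOCAL" : "EXPOSED"
            print tag, $1, port
         }'
}

# exposed_ports: only the network-reachable sockets, as "proto port"
exposed_ports() { socket_report | awk '$1 == "EXPOSED" { print $2, $3 }'; }

# service_name PORT PROTO: translate a port number via /etc/services, the way
# netstat -atu does; prints "?" when the file is missing or has no entry
service_name() {
    [ -r /etc/services ] || { echo "?"; return; }
    name=$(awk -v want="$1/$2" '$2 == want { print $1; exit }' /etc/services)
    echo "${name:-?}"
}

# Demonstration: list what a remote host could reach on the sample system.
# On a live system replace the sample with: netstat -atun | exposed_ports
printf '%s\n' "$NETSTAT_SAMPLE" | exposed_ports | while read -r proto port; do
    echo "$proto/$port ($(service_name "$port" "$proto")) reachable from the network"
done
```

For the sample, the exposed sockets are tcp 111, tcp 22, and udp 111; port 111 is the portmapper discussed above, which is the kind of finding that should send you back to inittab and the boot scripts to disable the service.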

Preparing for audits

After the basic system has been installed and configured, your ultimate goal is to maintain the security of the system. To identify unauthorized modifications to the system, use an audit tool to record a snapshot of the system in a known, desired secure state and to detect changes against it.

Conclusion

This article showed you how to harden your Linux system: by protecting the boot process and the local file system, locking down services and daemons, enforcing quotas and limits, enabling mandatory access control, and finding the security flaws that may be introduced when new software versions are used to update security. When configuring security parameters, follow the principle of least privilege. In addition, get to know all the processes running on your system, so that you can disable the ones you do not need and prevent them from becoming an entry point into your Linux environment.

The next installment looks at SELinux in depth and gives you conceptual and practical information about how to use it.


Original article: http://www-128.ibm.com/developerworks/cn/linux/l-seclnx3/index.html
